CaysE

MBAM, HJT & GMER won't scan

7 posts in this topic

This is a WindowsXP system... I've noticed a persistent process called 2007516154:96229256.exe that cannot be terminated. Symptoms on the system include MS Security Essentials disabled, Windows Update disabled, Windows Firewall disabled, unable to re-enable any of these services, and Google search results redirect to liedersearch.net.

I was able to successfully run an MBAM scan in Safe Mode with Networking, while in every logon profile, which did detect a number of infections and cleaned them. However, when logging into Windows normally, the above process reappears and MBAM stops scanning and becomes disabled. The same happens with HijackThis. GMER installs but will not launch or scan, as errors pop up saying various system files are in use. Here are two of the errors that occurred with GMER:

.

LoadDriver( "C:\DOCUME~1\Casey\LOCALS~1\Temp\pgpdafod.sys" ) error 0xC0000001: Cannot create a stable subkey under a volatile parent key.

.

C:\WINDOWS\system32\config\system: The process cannot access the file because it is being used by another process.

.

The only successful scan I've made in normal logon is DDS, which is below. I've also attached the attach.zip file from DDS. I have also run DeFogger with CD emulation currently disabled, and the log for that is at the bottom of this post. Thanks to this forum, I've managed to repair many rootkit infections, but this one eludes me. Please help.

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Casey at 11:53:44 on 2011-10-03

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.265 [GMT -4:00]

.

AV: Norton AntiVirus *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\WINDOWS\2007516154:96229256.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\internet explorer\iexplore.exe

.

============== Pseudo HJT Report ===============

.

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [EPSON Stylus C80 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S10IC2.EXE /P23 "EPSON Stylus C80 Series" /O6 "USB001" /M "Stylus C80"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10w_ActiveX.exe -update activex

StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\epsons~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE

StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

uPolicies-explorer: NoSetActiveDesktop =

uPolicies-system: DisableTaskMgr =

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: EnableLUA = 0 (0x0)

IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

LSP: mswsock.dll

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198959242963

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

TCP: DhcpNameServer = 167.206.245.129 167.206.245.130

TCP: Interfaces\{EB2FDEA7-DE37-46CC-A115-C93C5C1461D7} : DhcpNameServer = 167.206.245.129 167.206.245.130

Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

Hosts: 95.64.61.137 www.google.com

Hosts: 95.64.61.138 www.bing.com

.

============= SERVICES / DRIVERS ===============

.

S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2011-9-2 23624]

.

=============== Created Last 30 ================

.

2011-10-03 01:33:40 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-10-03 00:43:54 -------- d-sh--w- c:\documents and settings\casey\IECompatCache

2011-10-03 00:17:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-10-02 23:15:03 -------- d-sh--w- c:\documents and settings\casey\PrivacIE

2011-10-02 19:10:55 -------- d-----w- c:\program files\ESET

2011-10-02 18:59:32 -------- d-----w- c:\windows\pss

2011-09-10 21:15:30 -------- d-----w- c:\documents and settings\all users.windows\application data\Trymedia

2011-09-10 21:15:25 -------- d-----w- c:\program files\Elf Bowling - Bocce Style!

2011-09-06 16:25:45 -------- d-----w- c:\program files\NortonInstaller

2011-09-06 16:25:45 -------- d-----w- c:\documents and settings\all users.windows\application data\NortonInstaller

2011-09-06 16:24:26 -------- d-----w- c:\documents and settings\all users.windows\application data\Norton

2011-09-06 15:53:17 21376 ----a-w- c:\windows\system32\drivers\3db8dd44562e7967.sys

.

==================== Find3M ====================

.

2011-09-03 00:28:33 43408 --sha-w- c:\windows\system32\c_73280.nl_

2011-09-03 00:28:22 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2011-09-02 20:17:49 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-02 19:10:30 0 ----a-w- c:\documents and settings\all users.windows\application data\gueg.exe

2011-09-02 19:10:30 0 ----a-w- c:\documents and settings\all users.windows\application data\glha.exe

2011-09-02 19:10:30 0 ----a-w- c:\documents and settings\all users.windows\application data\bacl.exe

2011-09-02 19:10:30 0 ----a-w- c:\documents and settings\all users.windows\application data\alal.exe

.

============= FINISH: 11:55:23.13 ===============

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 11:53 on 03/10/2011 (Casey)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

Unable to read 3db8dd44562e7967.sys

Unable to read tsbvcap.sys

Unable to read tunmp.sys

Unable to read uagp35.sys

Unable to read udfs.sys

Unable to read update.sys

Unable to read usb8023.sys

Unable to read usb8023x.sys

Unable to read usbcamd.sys

Unable to read usbcamd2.sys

Unable to read usbccgp.sys

Unable to read usbd.sys

Unable to read usbehci.sys

Unable to read usbhub.sys

Unable to read usbintel.sys

Unable to read usbport.sys

Unable to read usbprint.sys

Unable to read usbscan.sys

Unable to read usbstor.sys

Unable to read usbuhci.sys

Unable to read usbvideo.sys

Unable to read vdmindvd.sys

Unable to read vga.sys

Unable to read viaagp.sys

Unable to read videoprt.sys

Unable to read volsnap.sys

Unable to read wacompen.sys

Unable to read wadv01nt.sys

Unable to read wadv02nt.sys

Unable to read wadv05nt.sys

Unable to read wadv07nt.sys

Unable to read wadv08nt.sys

Unable to read wadv09nt.sys

Unable to read wadv11nt.sys

Unable to read wanarp.sys

Unable to read watv01nt.sys

Unable to read watv02nt.sys

Unable to read watv04nt.sys

Unable to read watv06nt.sys

Unable to read watv10nt.sys

Unable to read wch7xxnt.sys

Unable to read wdmaud.sys

Unable to read wmilib.sys

Unable to read wpdusb.sys

Unable to read ws2ifsl.sys

Unable to read wsiintxx.sys

Unable to read WudfPf.sys

Unable to read WudfRd.sys

Unable to read wvchntxx.sys

-=E.O.F=-


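A small triage script for a DDS/DeFogger log, added here as an example; it is not the poster's code and not part of DDS, DeFogger or Malwarebytes. It pulls out the indicators that stand out in the log above: a running process whose path contains a second colon (on NTFS that names an alternate data stream, which is why a process living in C:\WINDOWS can carry a name like 2007516154:96229256.exe), Hosts-file entries that pin search domains to an unexpected address, the policy values that disable Task Manager and UAC, zero-byte .exe files under "application data", and the drivers DeFogger could not read. The sample log is constructed from lines copied out of the posted output, and the indicator names and watch-list are the example's own choices.

```python
"""Triage helper for a DDS / DeFogger log.

Added example, not part of the original post or of DDS. The indicator
names and the watch-list of domains below are assumptions chosen for
this example, not something DDS itself emits.
"""
import re

# Constructed sample: lines copied from the DDS and DeFogger output in the post above.
SAMPLE_LOG = """\
============== Running Processes ===============
C:\\WINDOWS\\system32\\svchost -k DcomLaunch
C:\\WINDOWS\\2007516154:96229256.exe
C:\\WINDOWS\\Explorer.EXE
============== Pseudo HJT Report ===============
uPolicies-system: DisableTaskMgr =
mPolicies-system: EnableLUA = 0 (0x0)
Hosts: 95.64.61.137 www.google.com
Hosts: 95.64.61.138 www.bing.com
==================== Find3M ====================
2011-09-02 19:10:30 0 ----a-w- c:\\documents and settings\\all users.windows\\application data\\gueg.exe
2011-09-02 20:17:49 404640 ----a-w- c:\\windows\\system32\\FlashPlayerCPLApp.cpl
Checking for services/drivers...
Unable to read 3db8dd44562e7967.sys
Unable to read usbhub.sys
"""

# Domains that should never be pinned to an address in the Hosts file (assumed watch-list).
WATCH_DOMAINS = {"www.google.com", "www.bing.com", "google.com", "bing.com"}

# A drive-letter path with a second ':' in its last component: an NTFS alternate data stream.
ADS_PROCESS = re.compile(r"^[A-Za-z]:\\.*:[^\\]+$")
HOSTS_LINE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)$")
# DDS "Created Last 30" / "Find3M" rows: date time size attributes path
FIND3M_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+(\d+)\s+\S+\s+(.+)$")
UNREADABLE = re.compile(r"^Unable to read (\S+)$")


def triage(log_text):
    """Return a list of (indicator, detail) tuples found in the log, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ADS_PROCESS.match(line):
            findings.append(("ads_process", line))
            continue
        m = HOSTS_LINE.match(line)
        if m and m.group(2).lower() in WATCH_DOMAINS:
            findings.append(("hosts_hijack", f"{m.group(2)} -> {m.group(1)}"))
            continue
        if line.startswith("uPolicies-system: DisableTaskMgr"):
            findings.append(("taskmgr_disabled", line))
            continue
        if line.startswith("mPolicies-system: EnableLUA = 0"):
            findings.append(("uac_disabled", line))
            continue
        m = FIND3M_LINE.match(line)
        if m and m.group(1) == "0" and m.group(2).lower().endswith(".exe"):
            findings.append(("zero_byte_exe", m.group(2)))
            continue
        m = UNREADABLE.match(line)
        if m:
            findings.append(("driver_unreadable", m.group(1)))
    return findings


def summarize(findings):
    """Count findings per indicator so a long driver list does not drown the rest."""
    counts = {}
    for indicator, _ in findings:
        counts[indicator] = counts.get(indicator, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for indicator, detail in results:
        print(f"{indicator:18} {detail}")
    print(summarize(results))
```

Run it against a full DDS log by reading the file into `triage()` instead of `SAMPLE_LOG`. The script only flags; it does not decide what the flagged process is. The ADS match is the most specific signal, because an ordinary file cannot have a colon in its name, while a single unreadable driver can be a permissions quirk and only the long run of them, counted by `summarize()`, is worth noting.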

Hi and welcome to Malwarebytes.

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs a runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log is named like UtilityName.Version_Date_Time_log.txt,

for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


Thank you, screen317. Unfortunately I had to leave so I no longer have access to the computer for the time being, but I will post again when I return next month. My apologies.


Are you still with us? This topic will be closed in a few days if we do not hear back from you.


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
